U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF THE INFORMATION TECHNOLOGY
SECURITY CONTROLS OF THE
U.S. OFFICE OF PERSONNEL MANAGEMENT'S
INTEGRATED SECURITY
MANAGEMENT SYSTEM
FY2009

Report No. 4A-CI-00-09-052

Date: August 10, 2009

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415

Office of the
Inspector General

Audit Report

U.S. OFFICE OF PERSONNEL MANAGEMENT
AUDIT OF THE INFORMATION TECHNOLOGY SECURITY
CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S
INTEGRATED SECURITY MANAGEMENT SYSTEM
FY2009

WASHINGTON, D.C.

Report No. 4A-CI-00-09-052

Date: August 10, 2009

Michael R. Esser
Assistant Inspector General
for Audits

Executive Summary

U.S. OFFICE OF PERSONNEL MANAGEMENT
AUDIT OF THE INFORMATION TECHNOLOGY SECURITY
CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S
INTEGRATED SECURITY MANAGEMENT SYSTEM
FY2009

WASHINGTON, D.C.

Report No. 4A-CI-00-09-052

Date: August 10, 2009

This final audit report discusses the results of our review of the information technology security controls of the U.S. Office of Personnel Management's (OPM) Integrated Security Management System (ISMS). Our conclusions are detailed in the "Results" section of this report.

The results of our audit are summarized below:

• OPM's legacy physical security system, Identipass, was decommissioned on January 23, 2009, and was replaced by the new ISMS system on that date. ISMS went through a certification and accreditation process prior to being placed into production. Although an accreditation statement was signed prior to placing the system into production, a certification letter had not been signed at this time. The certification letter for ISMS was signed retroactively by OPM's acting Information Technology Security Officer.
• A security categorization analysis was performed for ISMS. We determined that this evaluation was compliant with Federal Information Processing Standards Publication 199 and National Institute of Standards and Technology (NIST) requirements, and agrees with the overall security categorization of moderate for ISMS.
• An information system security plan was developed for ISMS using the security plan template outlined in the NIST Special Publication 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems.
• An independent security control test and evaluation was performed for ISMS during the certification and accreditation process.
• A self-assessment of security controls was not required for ISMS in fiscal year 2009.
• A contingency plan has been developed and tested for ISMS. However, the contingency plan could be improved with additional details for the recovery procedures and by assigning specific individuals to the recovery teams outlined in the contingency plan.
• A plan of action and milestones document has been created for ISMS to track security weaknesses of the system, although it did not prioritize the identified security weaknesses.
• We independently tested 22 security controls for ISMS and found that 4 of the security controls were not in place during the fieldwork phase of the audit. Three of the four failed controls were corrected during the reporting phase of the audit, but the fourth control has not been implemented.

Contents

Executive Summary ..... i
Introduction ..... 1
Background ..... 1
Objectives ..... 1
Scope and Methodology ..... 2
Compliance with Laws and Regulations ..... 3
Results ..... 4
    I. Certification and Accreditation ..... 4
   II. Federal Information Processing Standards Publication 199 Analysis ..... 4
  III. Information System Security Plan ..... 5
   IV. Independent Security Control Testing and Risk Assessment ..... 5
    V. Security Control Self-Assessment ..... 6
   VI. Contingency Planning ..... 6
  VII. Plan of Action and Milestones Process ..... 8
 VIII. NIST SP 800-53 Evaluation ..... 9
Major Contributors to this Report ..... 12
Appendix: Center for Security and Emergency Actions' July 15, 2009 response to the OIG's draft audit report, issued June 25, 2009.

Introduction

On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347), which includes Title III, the Federal Information Security Management Act (FISMA). It requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies.
In accordance with FISMA, we evaluated the information technology (IT) security controls related to the Office of Personnel Management's (OPM) Integrated Security Management System (ISMS).

Background

ISMS is one of OPM's 41 critical IT systems. As such, FISMA requires that the Office of the Inspector General (OIG) perform an audit of IT security controls of this system, as well as all of the agency's systems on a rotating basis.

The Center for Security and Emergency Actions (CSEA) has been designated with ownership of ISMS. ISMS is used to monitor and control employee, visitor, and guest access to OPM's Theodore Roosevelt Building (TRB) in Washington, D.C. The system is also used to limit access into designated restricted or controlled areas within the TRB. The primary component of ISMS is the C*Cure ID Badging system, which utilizes electronic access cards to operate network based access panels, door locks, turnstiles, and card readers.

This was our first audit of the security controls surrounding ISMS. We discussed the results of our audit with CSEA representatives at an exit conference.

Objectives

Our overall objective was to perform an evaluation of security controls for ISMS to ensure that CSEA officials have implemented IT security policies and procedures in accordance with standards established by OPM's Center for Information Services (CIS).

These policies and procedures are designed to assist program office officials in developing and documenting IT security practices that are in substantial compliance with FISMA, as well as OMB regulations and the National Institute of Standards and Technology (NIST) guidance.

OPM's IT security policies and procedures require managers of all major and sensitive systems to complete a series of steps to (1) certify that their system's information is adequately protected and (2) authorize the system for operations. The overall audit objective was accomplished by reviewing the degree to which a variety of these security program steps have been implemented for ISMS, including:

• Certification and Accreditation (C&A);
• Federal Information Processing Standards (FIPS) Publication 199 Analysis;
• Information System Security Plan;
• Independent Security Control Testing and Risk Assessment;
• Security Control Self-Assessment;
• Contingency Planning;
• Plan of Action and Milestones (POA&M) Process; and
• Evaluation of NIST Special Publication (SP) 800-53 Security Controls.

Scope and Methodology

This performance audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit covered FISMA compliance efforts of CSEA officials responsible for ISMS, including IT security controls in place as of June 2009.

We considered the ISMS internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objective, we interviewed representatives of OPM's CSEA office and other program officials with ISMS security responsibilities. We reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required.

Details of the security controls protecting the confidentiality, integrity, and availability of ISMS are located in the "Results" section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the ISMS system of internal controls taken as a whole.

The criteria used in conducting this audit include:

• OPM IT Security Policy;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
• NIST SP 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;
• NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories;
• Federal Information Processing Standard 199, Standards for Security Categorization of Federal Information and Information Systems; and
• Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

The audit was performed by the OPM Office of the Inspector General, as established by the Inspector General Act of 1978, as amended. The audit was conducted from April through July 2009, in OPM's Washington, D.C. office.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether CSEA's management of ISMS is consistent with applicable standards. Nothing came to the OIG's attention during this review to indicate that CSEA is in violation of relevant laws and regulations.

Results

This section details the results of our audit of ISMS.

I. Certification and Accreditation

OPM's legacy physical security system, Identipass, was decommissioned on January 23, 2009, and was replaced by the new ISMS system on that date.

The security certification process for ISMS was facilitated by contractors from the Department of Treasury's Bureau of Public Debt (BPD). On January 22, 2009, a representative from BPD signed a memorandum stating that the security certification work was complete, and that the package was ready for official certification and accreditation via the signing of a certification letter and accreditation memo. On January 23, the ISMS Designated Accrediting Authority (DAA) signed an accreditation statement authorizing the system to operate. However, a certification letter had not been signed at this time. The certification letter for ISMS was signed retroactively by OPM's acting Information Technology Security Officer (ITSO) on March 30, 2009.

NIST SP 800-37 suggests that the certification agent, which at OPM has traditionally been the ITSO, review the complete certification package prior to the accreditation phase.
The authorizing official relies on the ITSO's input from the security accreditation phase to determine the risk to agency operations, agency assets, or individuals.

For future C&As of ISMS, the ITSO should review the certification package and sign the certification statement prior to presenting the package to the DAA for authorization.

II. Federal Information Processing Standards Publication 199 Analysis

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires the formal categorization of information systems to ensure that the appropriate levels of information security controls are implemented.

NIST SP 800-60 Volume I, "Guide for Mapping Types of Information Systems to Security Categories," provides an overview of the security objectives and impact levels identified in FIPS Publication 199.

The security categorization analysis for ISMS considered the potential level of impact (low, moderate, high) that would result from a loss of confidentiality, integrity, or availability of the system.

The OIG determined that this evaluation was compliant with FIPS Publication 199 and NIST requirements, and agrees with the overall security categorization of moderate for ISMS.

III. Information System Security Plan

FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, specifies the security requirements that must be implemented on all federal information systems. Federal agencies must implement the minimum security requirements defined in FIPS Publication 200 through the use of the security controls outlined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems. NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, requires that these controls be documented in an information systems security plan (ISSP) for each system, and provides guidance for doing so.

BPD developed the ISSP for ISMS utilizing the security plan template outlined in NIST SP 800-18. The ISMS ISSP was reviewed and approved by the system's Designated Security Officer (DSO) and DAA on January 23, 2009. In accordance with NIST SP 800-18, the ISMS ISSP contained the following elements:

• System Name and Identifier;
• System Categorization;
• System Owner;
• Authorizing Official;
• Assignment of Security Responsibility;
• System Operational Status;
• Information System Type;
• General Description/Purpose;
• System Environment;
• System Interconnection/Information Sharing; and
• Laws, Regulations, and Policies Affecting the System.

The ISSP also outlines the information security controls that are implemented or planned to be implemented for ISMS. For each of the 17 security control families outlined in NIST SP 800-53, the ISMS security plan describes the manner in which these control objectives are satisfied for this system.

IV. Independent Security Control Testing and Risk Assessment

As part of the C&A process, BPD conducted a risk assessment and security control testing and evaluation for ISMS. We believe that the testing and evaluation by BPD addressed the critical elements suggested for the risk assessment process by NIST SP 800-30, Risk Management Guide for Information Technology Systems.

BPD developed a Security Assessment Plan (SAP) to document the methodology and scope for the security control testing. The SAP outlines the various assessment methods to be used during the review, and details the procedures to be followed during the risk assessment activities. The testing procedures included, but were not limited to, examining and reviewing assessment objects, interviewing individuals with ISMS security and operational responsibility, and exercising assessment objects under specified conditions to compare actual with expected behavior. BPD also conducted an automated vulnerability scan of the servers housing ISMS using the Retina network vulnerability scanner.

The security control testing was conducted by BPD employees who are independent from ISMS and the CSEA program office that owns the system. BPD created a baseline of security controls that are applicable to ISMS based on its FIPS Publication 199 security categorization of 'moderate.' The tested security controls were derived from NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems. The OIG verified that the appropriate controls were included in the scope of this review. For each tested control, BPD determined whether the control objective was fully satisfied, partially satisfied, or not applicable.

The results of the security control testing were recorded in a Security Assessment Report (SAR). The SAR contains an assessment of the risk associated with the security weaknesses found during the assessment along with recommendations for addressing these weaknesses. The vulnerabilities and weaknesses detected during the testing process were grouped into 14 itemized findings, each weighted with a high, medium, or low risk rating. These findings were appropriately transferred to the ISMS POA&M.

V. Security Control Self-Assessment

FISMA requires that the NIST SP 800-53 security controls of each federal information system be tested on an annual basis. In December 2008, an independent contractor conducted a test of ISMS's management, operational, and technical controls as outlined in NIST SP 800-53. Therefore, an internal self-assessment of these controls was not required in fiscal year (FY) 2009. The OIG will verify that a self-assessment of NIST SP 800-53 controls is conducted for this system in FY 2010 as part of the 2010 general FISMA audit process.

See section IV for a review of the independent security controls test for ISMS.

VI. Contingency Planning

NIST SP 800-34, Contingency Planning Guide for IT Systems, states that effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. The OPM IT security policy requires that OPM general support systems and major applications have viable and logical disaster recovery and contingency plans, and that these plans be annually reviewed, tested, and updated.

CSEA has documented a contingency plan for ISMS that contains procedures to recover the system following a disruption. Although the ISMS contingency plan contains the majority of critical elements suggested by the NIST guide, several areas of the contingency plan could be improved with additional details and more specific instructions.

Two steps within the contingency plan's procedures to return to normal operations are to "Install latest application code on application servers" and to "Test application to ensure business needs are met ...." However, there are no further instructions on how these steps should be completed.

Failure to itemize the detailed steps involved in the recovery process increases the risk that the recovery team will encounter problems or delays in restoring the system. NIST SP 800-34 states that "Recovery procedures should be written in a straightforward, step-by-step style. To prevent difficulty or confusion in an emergency, no procedural steps should be assumed or omitted. A checklist format is useful for documenting the sequential recovery procedures and for troubleshooting problems if the system cannot be recovered properly."

In addition, the ISMS contingency plan establishes several teams assigned to participate in recovering ISMS operations, but the contact list (call tree) within the document does not identify which individuals are assigned to the various teams. Failure to properly assign individuals to specific teams increases the risk that recovery team members will not be aware of their specific responsibilities in a disaster recovery situation. NIST SP 800-34 states that "Personnel to be notified should be clearly identified in the contact lists appended to the plan. This list should identify personnel by their team position, name, and contact information (e.g., home, work, and pager numbers, e-mail addresses, and home addresses)."

The ISMS contingency plan was tested on May 28, 2009. The test was a table-top exercise that involved a simulated walkthrough of the steps outlined in the contingency plan. Although CSEA documented the simulated results for each component of the contingency plan, the testing report did not contain the detailed step-by-step approach suggested by NIST guidance.

Recommendation 1
We recommend that CSEA continue to develop and improve the ISMS contingency plan. This includes, but is not limited to, adding specific and detailed steps to the recovery procedures and assigning specific individuals to the various recovery teams. CSEA should conduct another test of the contingency plan after the plan has been modified.

CSEA Response:
"Concur. The ISMS contingency plan will continue to be developed and improved as the system and network evolve and lessons learned result in continued improvements. The current ISMS Contingency Plan has been updated to include specific recovery steps and to assign specific individuals to roles and teams. A follow-up exercise was conducted to test the added procedures. Updated Contingency Plan and most recent Contingency Plan test results are included in the accompanying data disc."

OIG Reply:
We acknowledge the steps CSEA has taken to improve the ISMS contingency plan. However, the updated version of the contingency plan continues to lack specific instructions for several recovery procedures. For example, one step reads "Test all applications associated with the entire ISMS," but no further instructions are provided.

In addition, the updated contingency plan does not assign specific individuals to the four recovery teams (data management team, storage recovery team, applications recovery team, and business interface team). Job titles were added for each individual on the call tree, but there is no indication of which team these individuals are assigned to.

We continue to recommend that CSEA improve the contingency plan for ISMS. We will follow up on the status of this recommendation as part of the FY 2010 FISMA audit.

VII. Plan of Action and Milestones Process

As part of the C&A Process, BPD provided CSEA with a POA&M document outlining 14 security weaknesses detected during the C&A security control testing. All weaknesses and vulnerabilities detected during the C&A process were appropriately included on the ISMS POA&M. Although this POA&M generally adhered to the POA&M format required by OPM's CIS, the ISMS POA&M did not prioritize the identified security weaknesses.

On March 13, 2009, CSEA updated the ISMS POA&M and submitted it to CIS for the FY 2009 second quarter FISMA report to OMB. The March 13 POA&M indicated that all 14 weaknesses had been addressed.

For each of the security weaknesses labeled as "closed", the OIG verified that adequate "proof of closure" (evidence that the weakness has been alleviated) was provided to OPM's CIS. The OIG also independently verified that the proof of closure documentation adequately supports CSEA's position that each of the controls is now in place.

Recommendation 2
We recommend that ISMS edit its POA&M template to facilitate the prioritization of weaknesses.

CSEA Response:
"Concur. CSEA has edited its current POA&M list, which serves as the CSEA ISMS POA&M template, to include a column called 'Priority/Risk' to facilitate a risk-based prioritization of remediation activities. A copy of the current CSEA ISMS POA&M List is included in the accompanying data disc."

OIG Reply:
We acknowledge the steps that CSEA has taken to improve the ISMS POA&M.
No further action is required.

VIII. NIST SP 800-53 Evaluation

NIST SP 800-53 provides guidance for implementing a variety of security controls for information systems supporting the federal government. The OIG tested a subset of these controls for ISMS as part of this audit, including:

• AT-3: Security Training
• AU-1: Audit and Accountability
• AU-2: Auditable Events
• CA-2: Security Assessments
• CA-4: Security Certification
• CA-5: Plan of Action and Milestones
• CA-6: Security Accreditation
• CM-3: Configuration Change Control
• CM-4: Monitoring Configuration Changes
• CM-6: Configuration Settings
• CP-2: Contingency Plan
• CP-3: Contingency Plan Testing
• IA-4: Identifier Management
• MP-5: Media Transport
• PE-2: Physical Access Authorizations
• PE-8: Access Records
• PL-2: System Security Plan
• PL-4: Rules of Behavior
• PL-5: Privacy Impact Assessment
• PS-4: Personnel Termination
• RA-5: Vulnerability Scanning
• SC-2: Application Partitioning

These controls were evaluated by interviewing individuals with ISMS security responsibilities, reviewing documentation and system screenshots provided by CSEA, viewing demonstrations of system capabilities, and conducting tests directly on the system.

Although it appears that CSEA has successfully implemented the majority of NIST SP 800-53 security controls for ISMS, several tested controls were not fully satisfied:

a) AU-1 Audit and Accountability Policy and Procedures

CSEA has established audit procedures for ISMS that state the system administrator must review audit logs on a weekly basis to search for suspicious activity. However, during the fieldwork phase of this audit, there was a single system administrator with the ability to retrieve system logs, and no procedures in place to review the activity of this administrator. The administrator was the only individual with the ability to change ISMS's sensitive application-level settings, and was also the only individual capable of reviewing this activity. A second individual has since been assigned administrator privileges.

NIST SP 800-53 Revision 2 requires that each system have a "formal, documented, audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance ...."

Recommendation 3
We recommend that CSEA expand the ISMS audit procedures to include a process for reviewing the activities of the system administrator.

CSEA Response:
"Concur. An update was made to the CSEA ISMS Audit Procedures, which define the role of an Alternate System Administrator and the responsibility and process/procedures to review the ISMS audit logs on at least a monthly basis. The updated audit procedures are included in the accompanying data disc."

OIG Reply:
We acknowledge the steps that CSEA has taken to improve the ISMS audit procedures. No further action is required.

b) IA-4 Identifier Management

ISMS user accounts exist that are shared by multiple individuals. Although the accounts were not administrator accounts, they did have access privileges that, if abused, could jeopardize ISMS's ability to ensure physical security of OPM facilities. Although one shared account was disabled during the fieldwork portion of this audit, a second shared account still exists.

NIST SP 800-53 Revision 2 states each system must uniquely identify each user.

Recommendation 4
We recommend that CSEA disable all shared user accounts for ISMS, and enforce the use of individual accounts for all users.

CSEA Response:
"Concur. All shared accounts have been disabled or deleted.
A screen shot (ISMS\n   User ReporI6-29-09.pdj) is included in the accompanying data disc."\n\n   OIG Reply:\n   We acknowledge the steps that CSEA has taken to disable shared user accounts. No\n   further action is required.\n\nc) CM-3/6 Configuration Change Control/Configuration Settings\n   CSEA has established account management procedures for ISMS that state\n   "Configuration management responsibilities include maintaining an updated baseline\n   configuration for the ISMS (C*CURE) applications and then tracking changes as they\n   occur." However, no baseline configuration exists. In addition, although ISMS\n   automatically logs changes to configuration settings, no procedures exist to fonnally\n   approve and manage configuration changes.\n\n   NIST SP 800-53 states that organizations should document a system\'s baseline\n   configuration settings, a.nd manage configuration changes using a process that involves\n   fonnally evaluating and approving each change.\n\n\n\n\n                                         10\n\x0c   Recommendation 5\n   We recommend that CSEA document a baseline configuration for ISMS\'s application\n   level settings and develop procedures for requesting and approving changes to these\n   settings,\n\n   CSEA Response:\n   "Concur. The baseline configuration for ISMS has been developed and procedures for\n   Configuration Management are contained in section 4.B ofthe updated \'CSEA ISMS,\n   System and Account Management Procedures\' dated July6, 2009."\n\n   DIG Reply:\n   Although the updated System and Account Management Procedures contain procedures\n   for requesting and approving configuration changes, CSEA\'s response to the draft\n   report did not contain evidence indicating that a baseline system configuration has been\n   documented.\n\n   We continue to recommend that CSEA document a baseline configuration for ISMS\'s\n   application level settings. 
We will follow up on the status of this recommendation as\n   part of the FY 2010 FISMA audit.\n\nd) PL-4 Rules of Behavior\n   CSEA has established a set of rules for ISMS that descri bes their responsibilities and\n   expected behavior with regard to information system usage. However, not all ISMS\n   users have formally acknowledged their understanding of the rules of behavior.\n\n   NIST SP 800-53 states that system owners must receive "signed acknowledgement\n   from users indicating that they have read, understand, and agree to abide by the rules of\n   behavior ...."\n\n   Recommendation 6\n   We recommend that CSEA have all ISMS users sign the rules ofbehavior document.\n\n   CSEA Response: \n\n   "Concur. All ISMS users (federal employees and contract guard personnel) have signed \n\n   the Rules ofBehavior document." \n\n\n   OIGReplv: \n\n   We acknowledge the steps that CSEA has taken to have ISMS users sign a rules of\n   behavior document. No further action is required.\n\n\n\n\n                                          11 \n\n\x0c                            Major Contribntors to this Report \n\n\nThis audit report was prepared by the U.S. Office OfPCISOJffi\xc2\xa5l Management, Office ofInspector\nGeneral, lnfonnation Systems Audits Group. 
_The following individuals participated in the audit\nand the preparation of this report :\n\n\xe2\x80\xa2                   Group Chief\n\xe2\x80\xa2                     Auclitor-in-Charge\n\n\n\n\n                                              12 \n\n\x0c                                         Appendix \n\n                                                                   July IS, 2009\n\nMEMORANDUM \n\n\n                        lllfonnation Systems Audit Group\n                        Office of Inspector General\n\nFROM: \n\n\n                        Center for Security and Emergency Actions\n\nSubject: \t              CSEA Response to OPM Office of Inspector General (OIG) Draft\n                        Report No. 4A-CI-00-09-S2, June 25, 2009.\n\n\nThe Center for Security and Emergency Actions has reviewed the OIG\'s draft audit\nreport and concurs with the Inspector General\'s six recommendations to improve the\nsecurity posture of the Integrated Security Management System (ISMS). The remainder\nof thrs memorandum references the individual recommendations and CSEA\'$ actions to\nimplement them.\n\nEvidence suppo.rting the implementation of OIG recommendations are provided on a\ndata disk with this report (Folder: CSEA ISMS OIG Response, July 2009).\n\nRecommendation 1: \n\nDevdop and improve the ISMS contingency plan to include, but not limited to: \n\n   a. Adding specific and detailed steps to recovery procedures.\n   b. Assign specific individuals to the variolls recovery teams.\n  c. Conduct a follow-up test of the contingency plan after modifications.\n\n       Response: Concur\nThe ISMS contjngcncy plan wiJl continue to be developed and improved as the system and\nnetwork evolve and lessons learned result in continued improvements. The current iSMS\nContingency Plan has been updated to include specific recovery steps and to assign specific\nindividuals to roJes and teams. 
A follow-up exercise was conducted to test the a.dded procedures.\nUpdated Contingency Plan and most recent Contingency Plan test results are included in tbe\naccompanying data disc.\n\nRecommendation 2: \n\noro recommends that ISMS edit its POA&M template to facilitate the prioritization of \n\nweaknesses. \n\n        Response: Concur\nCSEA has edited its current POA&M list, which serves as the CSEA ISMS POAM template, to\ninclude a column caBcd "PrioritylRisk" to facilitate a risk-based prioritization of remediation\n\x0cactivities. A copy of the current CSEA ISMS POA&M List is included in the accompanying \n\ndata disc. \n\n\nRecommendation 3: \n\nOIG recommends that CSEA expand the ISMS audit procedures to include a process for reviewing \n\nthe activities of the system administrator. \n\n\n       Response: Concnr\nAn update was made to the CSEA ISMS Audit Procedures, which define the role of an Alternate\nSystem Administrator and the responsibility and process/procedures to review the ISMS audit logs\non at least a monthly basis. The updated audit procedures are included in the accompanying data\ndisc.\n\nRecommendations 4: \n\nOIG recommends that CSEA disables all shared accounts for ISMS, and enforce the use of \n\nindividual accounts for all users. \n\n\n       Response: Concur\nAll shard accounts have been disabled or deleted. A screen shot (ISMS User Report 6-29-09.pdf)\nare included in the accompanying data disc.\n\nRecommendation 5: \n\nOIG recommends that CSEA document a baseline configuration for ISMS\'s application level \n\nsettings, and develop procedures for requesting and approving changes to these settings. \n\n\n       Response: Concur\nThe .baseline configuration for ISMS has been developed and procedures for Configuration\nManagement are contained in section 4.B of the updated "CSEA ISMS, System and Account\nMan[lgement Procedures." dated July 6, 2009.                             
.\n\nRecommendation 6: \n\nOIG recommends that CSEA have all ISMS users sign the rules of behavior documents. \n\n\n       Response: Concur\nAll ISMS users (federal employees and contract guard personnel) have signed the Rules of Behavior\ndocument.\n\x0c'